
firewall defend tcp-flag enable

Function

The firewall defend tcp-flag enable command enables the defense against TCP packet flag bit attacks.

The undo firewall defend tcp-flag enable command disables the defense against TCP packet flag bit attacks.

Format

firewall defend tcp-flag enable

undo firewall defend tcp-flag enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

By default, the defense against TCP packet flag bit attacks is disabled.

After the TCP packet flag bit attack defense is enabled, the FW checks each flag bit of TCP packets. If a packet matches any of the following conditions, the FW treats it as an attack packet, discards it, and reports an attack log:
  • All flag bits are 1.
  • All flag bits are 0.
  • The SYN flag bit and the FIN flag bit are both 1.
  • The SYN flag bit and the RST flag bit are both 1.
  • The FIN flag bit is 1, but the ACK flag bit is 0.
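
The five conditions above, written as a check over a raw TCP header, useful for auditing captured traffic against what the defense is expected to discard. This is an added example, not Huawei code; it assumes "all flag bits" means the six classic flags (URG, ACK, PSH, RST, SYN, FIN), and the names tcp_flags, match_rule and build_header are hypothetical.

```python
import struct

# Classic six TCP flag bits (byte 13 of the TCP header). Assumption: "all flag
# bits" on this page means these six; the page does not enumerate them.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_SIX = FIN | SYN | RST | PSH | ACK | URG


def tcp_flags(header: bytes) -> int:
    """Return the six classic flag bits from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    return header[13] & ALL_SIX  # drops the ECE/CWR bits that share this byte


def match_rule(flags: int):
    """Return the first listed condition the flags match, or None."""
    flags &= ALL_SIX
    if flags == ALL_SIX:
        return "all flag bits are 1"
    if flags == 0:
        return "all flag bits are 0"
    if flags & SYN and flags & FIN:
        return "SYN and FIN are both 1"
    if flags & SYN and flags & RST:
        return "SYN and RST are both 1"
    if flags & FIN and not flags & ACK:
        return "FIN is 1 but ACK is 0"
    return None


def build_header(flags: int) -> bytes:
    """Constructed 20-byte TCP header; ports, seq and window are sample values."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 8192, 0, 0)


if __name__ == "__main__":
    # Constructed samples: two well-formed packets and three malformed ones.
    samples = [("SYN", SYN), ("FIN+ACK", FIN | ACK), ("SYN+FIN", SYN | FIN),
               ("null", 0), ("FIN only", FIN)]
    for name, flags in samples:
        verdict = match_rule(tcp_flags(build_header(flags)))
        print(f"{name:9} -> {'discard: ' + verdict if verdict else 'pass'}")
```
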

Example

# Enable the defense against TCP packet flag bit attacks.

<sysname> system-view
[sysname] firewall defend tcp-flag enable
Copyright © Huawei Technologies Co., Ltd.